Protecting the keys to your kingdom (aka your email)


The growing threat of business email compromise

According to the FBI, in 2016, email compromise cost businesses in America $360 million per year. By comparison, in 2019 this number grew to $1.77 billion and is likely to continue to rise. Over 24,000 enterprise businesses were affected by an email compromise over that three-year span as well.

Q: Why are we seeing a trend in this area?

A: Criminals tend to go after low-hanging fruit and unfortunately, this is an easy one for them today. Social engineering, which is the bulk of what we're seeing, is very difficult to pick up with technology. It relies on the victim to be able to sense an issue and avoid it. It's not always easy, but it can most certainly be done.

Q: How has the security community been challenged over the last 12 months regarding work from home?

A: In 2020, criminals had a record-breaking year in regards to the money they've earned, and this is for two reasons. One, their home office protection is often less than adequate compared to inside of their office. Two, if they receive a "phishy" email, they're on their own to spot it and make a decision. In the office, you have coworkers you can get another opinion from. All in all, the overall structure of a home office environment is much easier for criminals to take advantage of.

Why do they do it?

1) It's cheap

2) It's easy

The tools that cybercriminals use are relatively inexpensive. Some of them are free and most of them aren't any more than $40. Keep in mind, this is a very small list compared to what is actually out there.

(Image: Cyber-Criminal-Tools)

Most of these tools aren't even made for bad actors; they're what ethical hackers use to purposefully test environments, trying to prevent attacks. Just know that someone with a very low skill level can access these tools and attempt to compromise your business.

How do they do it?

They will often use phishing to get you to enter your email credentials to "log in" to their look-alike website. Sometimes, they'll even call and pretend to be a vendor, like your IT company, requesting your email password.

Types of attacks

1) Bogus email scheme: They'll compromise an email account, find a legitimate email like an invoice, and replicate it. They'll know who invoices normally come from and see exactly what the invoice looks like to make it as realistic as possible.

2) CEO fraud: They'll pretend to be an executive in the same company that the victim works for and ask the employee to do something for them, like send a wire transfer or purchase gift cards. If an email account has been compromised, they'll send the email through the actual email account of the executive, making it extremely hard to spot.

3) Account compromise: They'll compromise an email account, set up an email transport rule that you don't even know about, and forward your emails to an external email account.

Please keep in mind that these are only three of the many types of attacks that are out there today.
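As an added example (not code from the original post), here is a small audit that flags the kind of rule described in item 3: any mailbox rule that forwards or redirects mail to a domain the organization does not own, rated higher when the rule also deletes the message or marks it read so the owner never sees it. The rule fields, the organization domain and the sample records are constructed assumptions, not any vendor's export format.

```python
"""Audit exported mailbox rules for external forwarding (constructed example)."""
from dataclasses import dataclass, field

ORG_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains


@dataclass
class MailRule:
    mailbox: str                      # owner of the rule
    name: str
    forward_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)
    delete_message: bool = False      # hides the forwarded mail from the owner
    mark_as_read: bool = False        # likewise hides that new mail arrived


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def external_targets(rule: MailRule) -> list:
    """Return every forward/redirect destination outside ORG_DOMAINS."""
    return [t for t in rule.forward_to + rule.redirect_to
            if _domain(t) not in ORG_DOMAINS]


def audit_rules(rules: list) -> list:
    """Return (mailbox, rule name, severity, external targets) per suspicious rule.

    'high'   : forwards externally and also deletes or marks read (evidence hiding)
    'medium' : forwards externally only
    """
    findings = []
    for r in rules:
        ext = external_targets(r)
        if not ext:
            continue
        severity = "high" if (r.delete_message or r.mark_as_read) else "medium"
        findings.append((r.mailbox, r.name, severity, ext))
    return findings


SAMPLE_RULES = [  # constructed sample data; .invalid domains are placeholders
    MailRule("cfo@example.com", "invoices to AP", forward_to=["ap@example.com"]),
    MailRule("cfo@example.com", ".", forward_to=["archive.9981@webmail.invalid"],
             delete_message=True),
    MailRule("hr@example.com", "vacation", redirect_to=["hr-shared@example.com"]),
    MailRule("sales@example.com", "cc partner", forward_to=["partner@partner-co.invalid"]),
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Feed it whatever your mail platform exports for inbox and transport rules, and review every "high" finding with the mailbox owner out of band, not by email.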

The solve

1) Carefully scrutinize all emails. Train your employees to look out for emails that seem out of the ordinary or convey a sense of urgency with consequences, and to pay special attention to requests from high-level executives.

2) Verify requests and changes by communicating through another channel. For example, if you get a strange email, call that person to verify it was them rather than emailing back. You can also avoid clicking a bad link in an email that claims to be from, for example, your bank by navigating to the website yourself.

3) Raise your staff's awareness. If they're not educated, they're probably not paying attention. The best security posture is ongoing training and ongoing testing. Find the weak links by testing, and use training to continuously improve!

How can we help?

Please contact us today to implement the proper training and testing customized just for your team!
